Newbie needing a sanity check before going forward

FIGMJAM

n3wb
Joined
Oct 13, 2019
Messages
1
Reaction score
0
Location
Dallas
Hi all - I've been motivated by this site to not go the easy route of a pre-packaged subscription-based solution. As such, I've started to piece together my equipment which consists of Dahua 5231ZE cameras, Dell Optiplex, and Netgear GS510TLP managed POE switch. The house is already wired for the cameras so I'm hopeful that the hard work is already out of the way and now just need to understand the networking side of things. I'm planning to use Blue Iris as my software solution.

Would appreciate if someone can confirm or correct my understanding of the following initial process:
  1. Connect POE switch to router (note that I already have a large un-managed switch that handles all my other wired devices)
  2. Connect PC to POE switch (or should I connect PC directly to router?)
  3. Connect cameras one at a time to POE switch and use Dahua config tool to identify each camera and set IP address of the camera outside my router's DHCP range (does it matter if I use an address under or over the range?)
  4. Use Blue Iris to find cameras at the IP addresses set up in step 3
I've not used Blue Iris before so I need to spend some time learning the software, but my goal is to use it to view the cameras and set up rules for how many days to record. A few additional items that I need help with are:
  1. Will completing the above steps separate my cameras from the rest of my network and block them from accessing the internet? Setting up a VLAN (or separate LAN) and block internet access seems to be critical based on information here.
  2. Will I only be able to view my cameras on the PC connected to the POE switch? Ideally this PC will be located in my av rack closet so I'd like to be able to view my cameras from different PCs around the house or via iOS app.
  3. Would I be able to view my cameras when I'm away from the house, such as when I'm traveling for work?
I've spent a lot of time reading various wikis and threads but still feel like I don't have a full picture of what I need to do to get started. Appreciate any assistance.

Thanks
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,982
Reaction score
3,180
For the cameras/BI PC static IPs being over/under your DHCP range, it shouldn’t matter.

When you add a camera to Blue Iris, type in the IP address, username and password, then click Find/Inspect and let BI do its thing. Don't worry when it sets the make/model to Generic, everything should work fine for most Dahua models.

As for separating your cameras from your main network, I don’t think that’s a bad idea but if you’re buying cameras like Dahua from a trusted vendor like Andy, I don’t think it’s critical either. There are a few ways you could isolate with the equipment you have (although you may need a second network card in your BI machine for some). Others with more experience should hopefully add some specific tips.

If everything gets set up right you should be able to view your cameras from phones/other PCs in the house with minimal effort. I'd recommend the BI app for phones and the built-in web server (called UI3) for computers.

To view while you’re remote will require a safe way for you to connect from the Internet back in to your BI machine. Setting up a VPN is strongly suggested for this.
 

Philip Gonzales

Getting comfortable
Joined
Sep 20, 2017
Messages
697
Reaction score
551
1. You can connect it to router or to your other switch, it really doesn't matter as far as it working or not.
2. I would not connect PC directly to router. It will work, but there is no need for all the camera traffic to go through the router.
3. It depends. The IP address you assign it should be in the same subnet. Most home routers use a /24 subnet mask. That means that the range is 192.168.1.1-192.168.1.254. I believe the .1 and .255 are reserved for the network and broadcast address respectively. What I usually do is create an address reservation on the router and set a static IP on the cameras. That way if the cams can't contact the router for whatever reason they will still have the static address and the router will keep that address reserved for the MAC address of the camera so it will not hand it out to anyone else.
4. Yep click add camera or something along those lines and then find/inspect to get camera model and what not.

1. No, setting up VLANs is something I have only done in a lab and played with at work. I am a system guy not a network guy though. I don't personally run separate VLANs on my home network. This will require a router that supports VLAN tagging/trunking as well as a switch that supports this as well. If this is the route you are going it may be better to consult someone with more experience than me. One thing I have heard is you can leave the default gateway blank or put in a bogus address. Then the camera cannot get out to the internet.
2. You can view your cameras on any device on the same subnet as your cameras/PC. You can do this via the UI of the cameras, the blue iris app, the blue iris web ui (ui3), etc.
3. Yes, you can forward the port of your Blue Iris server out to the internet. Then you could access the Blue Iris app and UI3 over the internet. A more secure way would be to set up VPN access to your network. I believe you can buy a router with VPN capabilities built in; I use an OpenVPN virtual server. I believe there is a thread called VPN primer for noobs. Look into that.
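As an added illustration (not code from any poster in this thread), a small Python check for the addressing points in answer 3 and the "blank default gateway" trick in answer 1: it validates proposed static camera addresses against a /24 and a DHCP pool, and models why a camera with no gateway can only talk to hosts on its own subnet. The subnet, DHCP pool range and camera names are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread): a typical home /24
# with the router at .1 and a DHCP pool of .100-.199 in the middle of the range.
LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))


def check_static_ip(ip_str, lan=LAN, dhcp_pool=DHCP_POOL):
    """Return a list of problems with a proposed static camera address ([] if OK)."""
    problems = []
    ip = ipaddress.ip_address(ip_str)
    if ip not in lan:
        # Off-subnet: the router and BI PC would never see it on the wire
        return ["not in LAN subnet %s" % lan]
    if ip in (lan.network_address, lan.broadcast_address):
        problems.append("network/broadcast address is not assignable")
    if dhcp_pool[0] <= ip <= dhcp_pool[1]:
        # Above or below the pool is fine; inside it risks a duplicate-address clash
        problems.append("inside DHCP pool (duplicate-address risk)")
    return problems


def plan_cameras(names_to_ips, lan=LAN, dhcp_pool=DHCP_POOL):
    """Validate a whole camera addressing plan; also flags duplicate addresses."""
    report, first_owner = {}, {}
    for name, ip_str in names_to_ips.items():
        problems = check_static_ip(ip_str, lan, dhcp_pool)
        if ip_str in first_owner:
            problems.append("duplicate of %s" % first_owner[ip_str])
        first_owner.setdefault(ip_str, name)
        report[name] = problems
    return report


def reachable_without_gateway(cam_ip, cam_mask, dest):
    """With no default gateway a host can only send to on-link destinations.

    This is why leaving the camera's gateway blank keeps it off the Internet
    while the BI PC on the same subnet can still pull its stream.
    """
    link = ipaddress.ip_network("%s/%s" % (cam_ip, cam_mask), strict=False)
    return ipaddress.ip_address(dest) in link


if __name__ == "__main__":
    plan = {"front": "192.168.1.50", "back": "192.168.1.150", "side": "192.168.1.50"}
    for cam, issues in plan_cameras(plan).items():
        print(cam, "OK" if not issues else "; ".join(issues))
    print("cam -> BI PC:", reachable_without_gateway("192.168.1.50", "255.255.255.0", "192.168.1.20"))
    print("cam -> Internet:", reachable_without_gateway("192.168.1.50", "255.255.255.0", "8.8.8.8"))
```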
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Reading this can really help:

If you are lost let us know

I like the dual NIC - just add another NIC card on your blue iris server and you are set - no extra hardware other than a NIC card and no worries of VLAN knowledge:

It will look like this when done:


If you have questions please let us know
 
Joined
May 21, 2018
Messages
24
Reaction score
18
Location
Gondwanaland
Another vote for a dual NIC arrangement. Considering the current price of even Intel branded NICs, it's a very affordable option and there's lots of posts on how to do it.
Rick
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Dual NIC is not really a good security practice.

With that being said I only run one subnet at home with no VLANs or any of that jazz.
Why is that? And you cannot see the entire article but it doesn't seem to go into detail to the reason why. Dual NIC would be safer than just placing your entire blue iris server on your network and allowing cams to speak to it.
 

Philip Gonzales

Getting comfortable
Joined
Sep 20, 2017
Messages
697
Reaction score
551
Why is that? And you cannot see the entire article but it doesn't seem to go into detail to the reason why. Dual NIC would be safer than just placing your entire blue iris server on your network and allowing cams to speak to it.
See links below. It bridges the two networks together. I don't know, I'm not a networking expert, it will probably be fine either way as the alternative would be hardware firewalls in between and/or not connecting BI to the internet at all. I wouldn't personally worry about it but just sharing what I've read.


 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Why is that? And you cannot see the entire article but it doesn't seem to go into detail to the reason why. Dual NIC would be safer than just placing your entire blue iris server on your network and allowing cams to speak to it.
Generally speaking because when you dual-home a machine it doesn't really segregate the networks. In fact you're providing a potential entry point to both by bridging the networks across that machine. Whether that's significant in a given case depends on circumstances but that's the issue from a security standpoint. Where you really don't want to see that is, for example, where you have a machine connected to both a general use and a more secure network. Such machines are desirable targets since if someone can compromise the weak side, then they have control over a machine with access and authorization to the secure side. That's how various hacks/worms/ransomware have moved across and into such networks. So that architecture doesn't pass muster for defense, process control, and similar applications. You want them completely 'air-gapped' in that case.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Generally speaking because when you dual-home a machine it doesn't really segregate the networks. In fact you're providing a potential entry point to both by bridging the networks across that machine. Whether that's significant in a given case depends on circumstances but that's the issue from a security standpoint. Where you really don't want to see that is, for example, where you have a machine connected to both a general use and a more secure network. Such machines are desirable targets since if someone can compromise the weak side, then they have control over a machine with access and authorization to the secure side. That's how various hacks/worms/ransomware have moved across and into such networks. So that architecture doesn't pass muster for defense, process control, and similar applications. You want them completely 'air-gapped' in that case.
I understand. But the reason it is suggested is the alternative would be nothing for many as they are not going to buy hardware for firewalls and setting up vlans.

What are some ways you have seen people get into the BI server when only used for IP cams and you use VPN to connect to BI camera feed?
 

Philip Gonzales

Getting comfortable
Joined
Sep 20, 2017
Messages
697
Reaction score
551
Generally speaking because when you dual-home a machine it doesn't really segregate the networks. In fact you're providing a potential entry point to both by bridging the networks across that machine. Whether that's significant in a given case depends on circumstances but that's the issue from a security standpoint. Where you really don't want to see that is, for example, where you have a machine connected to both a general use and a more secure network. Such machines are desirable targets since if someone can compromise the weak side, then they have control over a machine with access and authorization to the secure side. That's how various hacks/worms/ransomware have moved across and into such networks. So that architecture doesn't pass muster for defense, process control, and similar applications. You want them completely 'air-gapped' in that case.
Well,

I guess the important question is whether using the dual-NIC method is advantageous vs not doing it. I would think for the network traffic perspective alone it may be. What about from a security perspective? Is it more secure? I would think possibly, but if the BI host is compromised then not so much.

Sorry, didn't mean to derail this thread. Was just curious mostly. Lol.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
I understand. But the reason it is suggested is the alternative would be nothing for many as they are not going to buy hardware for firewalls and setting up vlans.

What are some ways you have seen people get into the BI server when only used for IP cams and you use VPN to connect to BI camera feed?
Correct. It's always a trade off. In the case of someone segregating their cams from the rest of their network it's simple and it works and is better than doing nothing. I haven't seen anyone getting into BI servers, I was just speaking in general terms to explain what the articles are addressing as security concerns re dual-homed machines. Main point being that the dual-homed machine itself is an aggregation point vs truly segregating the networks as some tend to think of it.
 

Philip Gonzales

Getting comfortable
Joined
Sep 20, 2017
Messages
697
Reaction score
551
Correct. It's always a trade off. In the case of someone segregating their cams from the rest of their network it's simple and it works and is better than doing nothing. I haven't seen anyone getting into BI servers, I was just speaking in general terms to explain what the articles are addressing as security concerns re dual-homed machines. Main point being that the machine itself is an aggregation point vs truly segregating the networks as some tend to think of it.
I have heard that cameras should be kept off the internet due to backdoor vulnerabilities and what not. So as long as you don't port forward anything then you should be relatively safe against these vulnerabilities? Removing the default gateway should keep the cams from getting out to the internet themselves?

I'm asking because I'm wondering if there is a need for me and my family members to implement the dual NIC setup.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Generally, yes. Whatever you can do to isolate the cams from the Internet and the rest of your network is a good idea.

Doesn't mean that you'll necessarily be invincible if you do, but you'll stop most of what may happen with everything playing nicely and you'll not have easy pathways in/out.
 